Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.

Published byJaden Wade Modified over 11 years ago

Similar presentations

Presentation on theme: "1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs."— Presentation transcript:

1 1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs

2 2 Is hardware really finite state? l Unbounded/infinite structures may be appropriate... – For model checking, sometimes 64 = 64 bit words, large address spaces, etc. –Configurations not known a priori –Hardware processes (conceptually) infinite sequences e.g., a packet router Thus, for hardware verification, it is useful to be able to treat data structures of unknown or infinite size

3 3 Methodology l Split property into case based on parameter –e.g., memory output correct when addr = 0 l Reduce data types –map type address to 0 and not 0 –abstract Mem[not 0] to unknown –problem becomes finite state -- apply model checking l Apply symmetry –case addr = 0 implies all other cases Reduce unbounded types to fixed finite types by abstraction

4 4 Uninterpreted functions l Advantages of uninterpreted functions –Generic verification –Separate plumbing from arithmetic –Preserve symmetry This methodology also allows us to use uninterpreted functions in model checking. Many functions can be abstracted this way, for example, the mapping function of a cache, or the routing table of a packet router.

5 5 Refinement framework Reference model System Translations l Refinement relations –Specify intermediate results with respect to reference model –Each intermediate result uses finite operations storage locations –Thus, can reduce local verification problems to finite state

6 6 SPEC P PA Decomposing arrays i

7 7 Temporal case splitting l Prove separately that p holds at all times when v = i. l Path splitting v record register index i

8 8 Implementation in SMV system In general, we can split cases using any set of assertions q i, where SMV can determine that _ i q i = 1. Example: v : T; s : assert G p ; forall (i in T) subcase c[i] of s for v = i; c[0] : assert G (v=0 ) p) ; c[1] : assert G (v=1 ) p) ;... forall (i in T) subcase c[i] of s for v = i when r; i.e., can split cases on future value of a variable

9 9 SPEC Case explosion P PA i k... may even be unbounded. Number of cases may explode exponentially...

10 10 Exploiting symmetry l Symmetric types –Semantics invariant under permutations of type. –Enforced by type checking rules. l Symmetry reduction rule * i is of scalarset type * P references only constants 0..k-1 of type (related: Murphi) SMV can select a finite set of representative cases under symmetry.

11 11 Data type reductions l Problem: unbounded or infinite data types l Solution: reduce to finite types by abstraction where T\i represents all the values in T except i. l Need a property-preserving abstract interpretation Abstraction must be both sound and generically applicable.

12 12 Data type reduction in SMV l Values in reduced model M are sets l For sound abstraction of operator f, we need: l Examples: –Equality

13 13 Abstraction, continued... –Array references a[x]...becomes... (x=i) ? a[i] : –Other operators... Unbounded array reduced to one fixed element! etc... Must also account for quantifiers, temporal operators, etc...

14 14 l Thus, ifthen Property preserving abstractions l Homomorphism from M to M...but we may get

15 15 Illustration: Tomasulos algorithm l Execute instructions in data flow order OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE

16 16 Unbounded resources l The following types are left undefined: –REG (register file indices) –TAG (reservation station indices) –EU (execution unit indices) –WORD (data words) This allows for an unbounded (or infinite) number of registers, reservation stations, execution units, and bits in the data word.

17 17 Compositional rule l Decompose into two lemmas OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS TAGGED RESULTS INSTRUCTIONS VAL/TAG REG FILE Lemma 1: Correct operands Lemma 2: Correct results Computing each result and operand uses finite resources

18 18 Lemmas in SMV l Operand correctness forall (k in TAG) layer lemma1 : if (rs[k].valid & rs[k].opra.valid) rs[k].opra.val := aux[k].opra; l Result correctness forall (i in TAG) layer lemma2[i] : if (rb.tag = i & rb.valid) rb.val := aux[i].res; Note: only two signals specified in proof

19 19 Path splitting in Tomasulo OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS "cone of influence" eliminates

20 20 Symmetry reduction in operands lemma OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS i j k l Symmetry reduces unbounded cases to two cases: (i = 0, j = 0, k = 0) (i = 0, j = 0, k = 1)

21 21 Type reduction l Reduce types of undefined range to finite types l Specific reduction is chosen based on property parameters TAG {i,k,~{i,k}} REG {j,~{j}} l Reduces variable encodings to –1 bit per variable of type REG –2 bits per variable of type TAG What about data words? i.e., only include values we care about in reduced types

22 22 OP,DST Uninterpreted functions l Verify Tomasulo for arbitrary EU function f(a,b). f(a,b) RESULTS INSTRUCTIONS SPEC OP,DST opraoprb opraoprb OP,DST opraoprb f(a,b) OPS INSTRUCTIONS REG FILE VAL/TAG TAGGED RESULTS f(a,b) (related: Burch, Dill, Jones, etc...)

23 23 Case splitting l Prove result correctness only for specific cases, e.g. opra = 0, oprb = 1, f[0][1] = 2 OP,DST 01 opraoprb OP,DST opraoprb f(a,b) OPS INSTRUCTIONS REG FILE VAL/TAG 2 3! = 6 cases verified (related: Hojati, Singhal, Bryant, Clarke)

24 24 Result l Verification problem reduced to tractable finite problems –Max 25 state bits –11 cases of lemmas to verify after symmetry –Verification time less than 4 seconds l Tomasulo implementation proved for –Arbitrary number of registers, reservation stations –Arbitrary data word size and EU function note -- unbounded EUs requires one more lemma l The proof is concise and robust details in the paper...but in what way robust?

25 25 Adding in-order retirement OP,DST opraoprb OP,DST opraoprb OP,DST opraoprb EU OPS RETIRED RESULTS INSTRUCTIONS VAL/TAG REG FILE BUF RES Forwarded results...in order of entry

26 26 Reusing the proof l Why? –Refinement relations only specify two signals: operand registers and result bus –Function of these signals did not change New version is verified without modifying one proof line... Because a model checker computes the reachable states, we do not have to specify invariants of most signals. This improves reusability of the proof.

27 27 Comparison to symbolic simulation l Use uninterpreted functions to abstract out arithmetic l Generating flushing function can be automatic –in practice, manual decompositions are required l Inductive invariants can be complex –reduces reusability of proof flush impl spec require inductive invariant for this state

28 28 Other related work l Data independence (Wolper) –require control to be independent of data –does not reduce the size of arrays l Lazic and Roscoe –complete procedure (for determinism) –limitations to avoid undecidability: no comparison of array elements (i.e., no cache tags) no array indices stored in arrays (i.e., no Tomasulo) –present method is (necessarily) incomplete

29 29 Other applications l Data type reductions –One-address abstraction in cache coherence –Content-addressable memories –Infinite packet streams –Circular buffers l Uninterpreted functions –Routing tables, address decoding –Hash functions (e.g., in caches) –Replace any symmetry-breaking function using ordered types, inductive proofs

30 30 Conclusion l Hardware verification can involve large or unbounded structures –problem for finite state methods l Case splitting and data type reduction: –combine with compositional methods –reduce to small finite scalars and arrays fewer manual decompositions –allows MC with uninterpreted functions avoid writing inductive invariants –concise, robust proofs with high degree of automation

Download ppt "1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs."

Similar presentations

A Polynomial-Time Algorithm for Global Value Numbering SAS 2004 Sumit Gulwani George C. Necula.

A Polynomial-Time Algorithm for Global Value Numbering SAS 2004 Sumit Gulwani George C. Necula.
Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.

Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.
2. Getting Started Heejin Park College of Information and Communications Hanyang University.

2. Getting Started Heejin Park College of Information and Communications Hanyang University.
Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.

Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Compositional methods Scaling up to large systems.
1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.

1 Minimalist proof assistants Interactions of technology and methodology in formal system level verification Ken McMillan Cadence Berkeley Labs.
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Using Matrices in Real Life

Using Matrices in Real Life
Inference in First-Order Logic

Inference in First-Order Logic
Analysis of Computer Algorithms

Analysis of Computer Algorithms
Compositional Methods and Symbolic Model Checking

Compositional Methods and Symbolic Model Checking
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 1 Embedded Computing.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 1 Embedded Computing.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.
© 2010 Pearson Addison-Wesley. All rights reserved. Addison Wesley is an imprint of Chapter 11: Structure and Union Types Problem Solving & Program Design.

© 2010 Pearson Addison-Wesley. All rights reserved. Addison Wesley is an imprint of Chapter 11: Structure and Union Types Problem Solving & Program Design.
11 Copyright © 2005, Oracle. All rights reserved. Using Arrays and Collections.

11 Copyright © 2005, Oracle. All rights reserved. Using Arrays and Collections.

Similar presentations

Ads by Google